Another Law Firm Suffers a Major Cyber Breach as Millions of Sensitive Client Documents Are Made Public in the “Paradise Papers”

Appleby, a multi-national law firm known for its tax planning services, is the latest law firm to suffer a major cyber breach in an event that has been dubbed the “Paradise Papers.” This breach mirrors the Panama Papers leak from two years ago, which exposed millions of documents from the Mossack Fonseca law firm.

Appleby, like Mossack Fonseca, is known for its high-net-worth clients and its use of offshore entities to assist them in tax planning. These features likely made Appleby an appealing target for a cyber-attack. The information contained in the leaked papers has prompted public criticism and calls for legal scrutiny of the firm, its clients, and the banks where the clients keep their money. The fruits of the cyber breach, 13.4 million leaked documents, were provided to news outlets to maximize the exposure of the information.

The source of the Appleby breach and the methods employed are not yet known. Nevertheless, the parallels to the breach of Mossack Fonseca should cause all organizations that service high-net-worth individuals to make sure that, in light of their heightened cyber risk, they are taking reasonable steps to protect their clients’ confidential data. Such firms, to the extent they are not already doing so, should consider implementing at least some of the following measures:

Utilizing surveillance and malware detection software.

Ensuring that software used by the company is up-to-date and that available patches are implemented as soon as reasonably practical.

Reviewing access controls regularly to ensure that they are up to date and that they restrict electronic data users to their necessary business functions.

Conducting periodic cybersecurity audits and penetration testing.

Requiring multi-factor authentication for remote access into computer systems and for very sensitive internal access points.

Requiring rotating complex passwords.

Monitoring the activity of authorized users to detect any unauthorized file access, as well as any large-scale downloading, copying or tampering with confidential information.

Conducting regular cybersecurity-awareness training.

The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help enhance cybersecurity readiness. The Portal is currently being beta tested by a select group of clients.

We will be providing updates to the cybersecurity aspects of the Paradise Papers here at the Davis Polk Cyber Breach Center. Updates on other aspects of the Paradise Papers can be found at http://www.finregreform.com/

The listed lawyers gratefully acknowledge the assistance of law clerk Zachary Shapiro in preparing this post.

Topics

Archives

Subscribe by Email

RELATED PROFESSIONALS

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.

Mr. Leibowitz is a partner in Davis Polk’s Washington DC and New York offices. His practice focuses on the complex antitrust aspects of mergers and acquisitions as well as government and private antitrust investigations and litigation. He also provides counsel in the developing areas of consumer protection and privacy law as well as advocacy involving Congress.

Mr. MacBride is co-chair of the firm’s White Collar Criminal Defense and Government Investigations Group. His practice focuses on government enforcement actions, internal investigations, congressional investigations, and complex civil litigation. His matters have included advising clients in connection with foreign corrupt practices, economic sanctions, cybersecurity risks, False Claims Act violations, market manipulation, insider trading, and securities, health care, procurement and tax fraud. His wide-ranging investigations and trial experience span more than two decades and across all three branches of the government, most recently as the U.S. Attorney for the Eastern District of Virginia.

Mr. Perez-Marques is a partner in Davis Polk’s Litigation Department. His practice spans complex commercial litigation, including securities and M&A-related litigation, as well as securities enforcement and white collar matters. He also has extensive experience advising Spanish, Latin American and other foreign clients concerning U.S. litigation matters, and domestic clients concerning overseas and cross-border disputes.

Ms. Seshens is a partner in Davis Polk’s Litigation Department. Her practice focuses on complex commercial litigation, securities class actions, and bankruptcy litigation. She has extensive experience representing corporate clients and professional firms with respect to a wide range of civil litigation and advisory matters.

Ms. Gross is counsel in Davis Polk’s Intellectual Property and Technology Department in the Northern California office. Her practice includes a wide range of intellectual property-related matters, including strategic alliances, joint ventures and licensing, as well as intellectual property strategy and commercialization, copyright, patent and trademark matters. She also advises clients on data privacy and security matters, including cybersecurity, technology and data initiatives, development of privacy and data security policies and product development.

Disclaimer

cyberbreachcenter.com is a collection of informational products provided by Davis Polk & Wardwell LLP. In its capacity as provider of cyberbreachcenter.com and its component parts, Davis Polk is acting as an information provider.

cyberbreachcenter.com and its component parts do not constitute, and are not intended to constitute, legal advice with respect to any particular circumstance, do not create an attorney-client relationship with Davis Polk & Wardwell LLP or any of its associated entities and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.

About Davis Polk

Davis Polk ranks among the world’s preeminent law firms. Known for our skillful work, the excellence and breadth of our practice has kept us at the forefront of matters that are shaping global business. Read More